Bug 503523

Summary: certicom token "changepw" fails (however strong password we give)
Product: [Retired] Dogtag Certificate System
Reporter: Kashyap Chamarthy <kchamart>
Component: ECC
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: high
Version: 1.1
CC: benl, mharmsen, rrelyea
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:35:54 UTC
Bug Blocks: 443788

Description Kashyap Chamarthy 2009-06-01 14:56:54 UTC
Environment: RHEL_5.3_64_bit 

Description:
Attempt to change password of the certicom token passwd fails with

ERROR: Unable to change password on token "Certicom FIPS Cert/Key Services".

Expected Results:
Token password should be able to be changed successfully

Actual Results:
ERROR: Unable to change password on token "Certicom FIPS Cert/Key Services".
---------------------------

how to reproduce:
---------

=> here I was able to proceed with libsbcpgse.so

[root@shine ecc]# cp sbp11api_gse1.0-linux_64_x86/lib/libsbcpgse.so /usr/certicom/lib/
[root@shine ecc]# cp sbp11api_gse1.0-linux_64_x86/lib/libsbcpgse.so /usr/lib/

=> loading ECC module succeeds

[root@shine ecc]# modutil -dbdir /var/lib/pki-ca/alias/ -nocertdb -add certicom -libfile /usr/certicom/lib/libsbcpgse.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "certicom" added to database.

=> listing modules succeeds

[root@shine ecc]# modutil -dbdir /var/lib/pki-ca/alias/ -nocertdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. certicom
        library name: /usr/certicom/lib/libsbcpgse.so
         slots: 2 slots attached
        status: loaded

         slot: FIPS Generic Crypto Services V1.0.1d
        token: Certicom FIPS Crypto Services

         slot: FIPS Certificate/Key Services V1.0.1d
        token: Certicom FIPS Cert/Key Services

=> changing the token password "fails" (with however strong password I gave)

[root@shine ecc]# modutil -dbdir /var/lib/pki-ca/alias/ -changepw "Certicom FIPS Cert/Key Services"

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Enter new password:
Re-enter new password:
ERROR: Unable to change password on token "Certicom FIPS Cert/Key Services".
-----------------------------------------------------------------------------

Comment 1 Kashyap Chamarthy 2009-06-01 15:17:08 UTC
with strace:
--------------
[root@shine ecc]# strace -o strace.log modutil -dbdir /var/lib/pki-ca/alias/ -changepw "Certicom FIPS Cert/Key Services"

------------------
[root@shine ecc]# tail -30 strace.log 
ioctl(6, SNDCTL_TMR_CONTINUE or TCSETSF, {B38400 opost isig icanon echo ...}) = 0
close(6)                                = 0
munmap(0x2b231c5da000, 4096)            = 0
close(7)                                = 0
munmap(0x2b231c5d9000, 4096)            = 0
open("/root/.certicom/sbcp/sbcppri.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 6
fstat(6, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
fcntl(6, F_SETFD, FD_CLOEXEC)           = 0
close(6)                                = 0
open("/root/.certicom/sbcp/sbcppri.db/x00", O_RDONLY) = 6
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
read(6, "0\202\1\226\2\1\0030\202\1P\6\t*\206H\206\367\r\1\7\1\240\202\1A\4\202\1=0\202"..., 410) = 410
fstat(6, {st_mode=S_IFREG|0600, st_size=410, ...}) = 0
close(6)                                = 0
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
write(2, "ERROR: Unable to change password"..., 77) = 77
lseek(3, 0, SEEK_SET)                   = 0
write(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0@\0\0\0\0\16\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
close(3)                                = 0
lseek(4, 0, SEEK_SET)                   = 0
write(4, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0\1\0\0\0\0\10"..., 260) = 260
close(4)                                = 0
munmap(0x2b231c21c000, 2407832)  

-------------------------------
additional info:

The /root/.certicom/sbcp directory does exist, and it has the sbcppri.db, sbcppub.db and sbcpso.db directories (but not the sbcpuser.db directory).

-- when I created the /root/.certicom/sbcp/sbcpuser.db directory and tried again to change the token password: no joy there either.
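
The triage done above by reading the tail of strace.log can be scripted. The following is an added example, not part of the bug report or of Dogtag/NSS: it extracts every syscall that failed before the first stderr write carrying the error text, so the missing sbcpuser.db directory shows up directly. The function names and the shortened sample log (copied from the strace tail in this comment and cut down) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report: pull the failed syscalls that
# immediately precede a program's error message out of an strace log.
# In comment 1 the last calls to fail before "ERROR: Unable to change
# password" are two open() calls on /root/.certicom/sbcp/sbcpuser.db
# returning ENOENT; this script finds them mechanically.

# Print every syscall line that returned -1 before the first write() to
# fd 2 (stderr) whose payload begins with the given prefix.
# $1: strace log file   $2: stderr message prefix to stop at
failed_syscalls_before_error() {
    awk -v prefix="$2" '
        # stop at the first write to stderr carrying the error text
        index($0, "write(2, \"" prefix) == 1 { exit }
        # strace renders a failed call as "... = -1 ERRNO (text)"
        / = -1 E[A-Z]+ / { print }
    ' "$1"
}

# Convenience: just the paths named in those failed calls, de-duplicated.
missing_paths_before_error() {
    failed_syscalls_before_error "$1" "$2" |
        sed -n 's/^[a-z_]*("\([^"]*\)".*/\1/p' | sort -u
}

# Constructed sample: the tail of the strace log quoted in comment 1,
# shortened to the lines that matter.
SAMPLE_LOG="${TMPDIR:-/tmp}/strace-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
open("/root/.certicom/sbcp/sbcppri.db/x00", O_RDONLY) = 6
read(6, "0\202\1\226"..., 410) = 410
close(6)                                = 0
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
open("/root/.certicom/sbcp/sbcpuser.db", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
write(2, "ERROR: Unable to change password"..., 77) = 77
lseek(3, 0, SEEK_SET)                   = 0
EOF

# Run against the sample: prints /root/.certicom/sbcp/sbcpuser.db
missing_paths_before_error "$SAMPLE_LOG" "ERROR: Unable to change password"
```

Against a real strace.log the same two functions take the log path and the program's error prefix; anything that failed after the error write is deliberately ignored, since it cannot have caused the message.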

Comment 2 Christina Fu 2009-06-04 20:15:35 UTC
First, I do not know why it failed.  But I can come up with something for you to try.
On a 32-bit machine, create the following directory:
 /root/.certicom/sbcp/sbcpuser.db

sftp to gamma, cd into the directory with the same path, and get the files over to your 32-bit machine. Put them under the same path.

Now try your changepw again.  The old password is redhat.

Comment 3 Christina Fu 2009-06-04 20:59:57 UTC
Just realized one reason this trick would not work.  The old certicom dbs I have are from the old certicom lib and the token names are different:
        token: Certicom Cert/Key Services
while the new token has name:
        token: Certicom FIPS Cert/Key Services

I think it's best to ask certicom about it.

Comment 4 Christina Fu 2009-06-13 19:56:37 UTC
This is to document what to do once the certicom library is added and initialized (the steps to get to this point will be provided later):

edit file /usr/bin/dtomcat5-<instance name>
e.g.
vim /usr/bin/dtomcat5-pki-ca
At the very beginning of the file, right after the line
  umask 00002
you add
  export NSS_USE_DECODED_CKA_EC_POINT=1
restart the server.

on the client side, at the shell where you wish to start browser, set the same flag:
  export NSS_USE_DECODED_CKA_EC_POINT=1
start browser,
then you need to load the certicom library:
go to Edit, Preferences, Advanced, Security Devices,
then load the certicom module
  certicom
  /usr/lib64/libsbcpgse.so
login to the token:
  Certicom FIPS Cert/Key Services
import the agent cert (presumably you had configured it in another browser, exported the admin cert)

now you can access both the ee ssl page and the agent page.
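
The server-side step in this comment (exporting NSS_USE_DECODED_CKA_EC_POINT=1 right after the umask 00002 line of the dtomcat5-<instance> script) is easy to apply by hand and just as easy to apply twice. The following shell script is an added example, not from the bug report or from Dogtag: it inserts the export idempotently and refuses to modify a script that lacks the anchor line. The function names and the stand-in start script are constructed; on a real system the argument would be /usr/bin/dtomcat5-<instance name>.

```shell
#!/bin/sh
# Added example, not from the bug report: apply the server-side step of
# comment 4 idempotently. It inserts
#   export NSS_USE_DECODED_CKA_EC_POINT=1
# directly after the "umask 00002" line of a dtomcat5-<instance> start
# script, and leaves a script that lacks that anchor line untouched.
# The sample file below is a constructed stand-in, not the real script.

FLAG_LINE='export NSS_USE_DECODED_CKA_EC_POINT=1'
ANCHOR_LINE='umask 00002'

# Exit status 0 if the flag is already exported as a whole line.
has_ec_point_flag() {
    grep -qx "$FLAG_LINE" "$1"
}

# Insert the export right after the anchor line. Returns 0 when the file
# ends up patched (including when it already was), 1 if the anchor is missing.
add_ec_point_flag() {
    script="$1"
    if has_ec_point_flag "$script"; then
        return 0
    fi
    if ! grep -qx "$ANCHOR_LINE" "$script"; then
        echo "add_ec_point_flag: no '$ANCHOR_LINE' line in $script, leaving it unchanged" >&2
        return 1
    fi
    tmp="$script.tmp.$$"
    # Copy every line; immediately after the anchor, also emit the export.
    awk -v anchor="$ANCHOR_LINE" -v flag="$FLAG_LINE" '
        { print }
        $0 == anchor { print flag }
    ' "$script" > "$tmp" && mv "$tmp" "$script"
}

# How many times the flag line appears; a correctly patched script has exactly one.
ec_point_flag_count() {
    grep -cx "$FLAG_LINE" "$1"
}

# Constructed stand-in for /usr/bin/dtomcat5-pki-ca.
SAMPLE_SCRIPT="${TMPDIR:-/tmp}/dtomcat5-sample.$$"
trap 'rm -f "$SAMPLE_SCRIPT"' EXIT
printf '%s\n' '#!/bin/sh' 'umask 00002' 'echo "starting tomcat (stand-in)"' > "$SAMPLE_SCRIPT"

add_ec_point_flag "$SAMPLE_SCRIPT"
add_ec_point_flag "$SAMPLE_SCRIPT"   # second run is a no-op
cat "$SAMPLE_SCRIPT"
```

The client-side half of the procedure (the same export in the shell that starts the browser, then loading libsbcpgse.so under Security Devices) is interactive and is not scripted here.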

Comment 5 Kashyap Chamarthy 2009-06-23 17:18:22 UTC
Verified. Token password can be changed using the sample binary provided by Certicom (but the password "userpassword" is hard-coded in the sample.c).

Refer to the bugzilla below for configuring CA with certicom ECC module: https://bugzilla.redhat.com/show_bug.cgi?id=507428